
On my local development machine, I am developing a .NET app with the AWS SDK to use a particular service.
In order for the app to communicate with AWS, I first run the AWS CLI with a particular IAM user that has been set up prior.
By default, this IAM user which is set up for this purpose has a 1 hour expiry. Meaning that after one hour of running the `aws configure sso` command it will stop working.

Eventually I wish to deploy the app for use on a web server that is outside Amazon’s environment. I imagine this involves installing the AWS CLI and running the same command initially. But what I don't want to happen is for the session to ever expire. Otherwise a human would have to manually remote into the server, run the command, validate the MFA code and so on.

I cannot find any information online on how to set up a permanent AWS connection (whether the session refreshes automatically or the original one persists is of no matter). The only resources I can find relate to "long term credentials", but the documentation suggests this is bad practice.

So how does one do this in real life? How can AWS CLI be configured to always run on a server without having to worry about session expiry?

2 Answers


  1. Use IAM Roles to provide secure AWS access on non-AWS systems. If IAM Roles are not an option, save credentials in AWS Secrets Manager or Parameter Store and change them regularly.

    Useful links:

    IAM Roles

    AWS Secrets Manager

    AWS Systems Manager Parameter Store

  2. From What is AWS Identity and Access Management Roles Anywhere? – IAM Roles Anywhere:

    You can use AWS Identity and Access Management Roles Anywhere to obtain temporary security credentials in IAM for workloads such as servers, containers, and applications that run outside of AWS. Your workloads can use the same IAM policies and IAM roles that you use with AWS applications to access AWS resources. Using IAM Roles Anywhere means you don’t need to manage long-term credentials for workloads running outside of AWS.

    To use IAM Roles Anywhere, your workloads must use X.509 certificates issued by your certificate authority (CA). You register the CA with IAM Roles Anywhere as a trust anchor to establish trust between your public-key infrastructure (PKI) and IAM Roles Anywhere.

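As an added illustration of the IAM Roles Anywhere setup described in the answer above (this is not code from the page or from AWS, and every ARN and file path is a placeholder you must replace), a `~/.aws/config` profile on the non-AWS server can delegate credential retrieval to the IAM Roles Anywhere credential helper (`aws_signing_helper`) through `credential_process`. The helper signs a request with the server's X.509 certificate and private key, exchanges it for temporary role credentials, and is re-invoked by the CLI and SDK whenever those credentials approach expiry, so no interactive SSO login or long-term access key is needed:

```ini
# ~/.aws/config on the web server (added example; values below are placeholders)
# The .NET app and the AWS CLI select this profile via AWS_PROFILE=rolesanywhere.
[profile rolesanywhere]
region = eu-west-1
# credential_process runs the IAM Roles Anywhere credential helper on demand.
# --certificate / --private-key : the server's leaf certificate and key, issued
#                                 by the CA registered as the trust anchor
# --trust-anchor-arn            : the trust anchor created for that CA
# --profile-arn                 : the Roles Anywhere profile listing allowed roles
# --role-arn                    : the IAM role the workload assumes
credential_process = /usr/local/bin/aws_signing_helper credential-process --certificate /etc/pki/app/server.crt --private-key /etc/pki/app/server.key --trust-anchor-arn arn:aws:rolesanywhere:eu-west-1:123456789012:trust-anchor/PLACEHOLDER-TRUST-ANCHOR-ID --profile-arn arn:aws:rolesanywhere:eu-west-1:123456789012:profile/PLACEHOLDER-PROFILE-ID --role-arn arn:aws:iam::123456789012:role/PLACEHOLDER-WORKLOAD-ROLE
```

Verify with `aws sts get-caller-identity --profile rolesanywhere`; the returned ARN should be the assumed role, and restricting read access on the private key file to the service account that runs the app is what keeps this equivalent to, rather than weaker than, the short-lived SSO session used on the workstation.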